Hardware Firewall


Joeythedude
August 23rd, 2009, 05:19 PM
What's the difference between a Hardware Firewall and a software one ?
Is it more than having separate resource usage ?

Does a Hardware Firewall have some physical component that a normal PC does not have ?

ThunderZ
August 24th, 2009, 05:29 AM
Actually, a "hardware" firewall is a misnomer.

Hardware firewalls = routers. Routers are still based on software. But this software is burned\flashed to chip in the router. The router has a basic GUI that can be accessed in order to configure it. Different routers have varying levels of configuration available.

There is no additional resource usage placed on the PC when using a router since it requires no software to be installed on the connected PC(s).

Joeythedude
August 24th, 2009, 09:14 AM
Thanks.

What I'm trying to figure out is this:

I often see posts from people saying "I have a router so I'm ok" type of thing.

Why is this ?

Is it "router software" in general ?

Could this software not be installed on a PC ?

ThunderZ
August 24th, 2009, 10:03 AM
{QUOTE-> I often see posts from people saying "I have a router so I'm ok" type of thing.

Why is this ? <-QUOTE}


Properly configured, a good router is basically invisible to the outside Net while allowing the PC(s) behind it full functionality\access to the Net.

{QUOTE-> Is it "router software" in general ? <-QUOTE}

The software is usually referred to as firmware when speaking of routers, though features vary from router to router.


{QUOTE-> Could this software not be installed on a PC ? <-QUOTE}

No. The router basically contains a bare bones operating system. It is intended for one thing and one thing only: to perform the router functions. There is no install disk for it. It is pre-flashed to a chip on the circuit board of the router. It will not install or run from a hard drive.

Joeythedude
August 24th, 2009, 10:46 AM
A good software firewall can do that too..
I still don't see why routers are always considered superior to a software firewall on a PC ?
What is the difference that makes them "better" ?

One discussion stated that

{QUOTE-> A hardware firewall in a typical broadband router employs a technique called packet filtering, which examines the header of a packet to determine its source and destination addresses. This information is compared to a set of predefined and/or user-created rules that determine whether the packet is to be forwarded or dropped. A more advanced technique called Stateful Packet Inspection (SPI), looks at additional characteristics such as a packet's actual origin (i.e. did it come from the Internet or from the local network) and whether incoming traffic is a response to existing outgoing connections, like a request for a Web page. <-QUOTE}

Is there a technical reason why packet filtering and SPI could not be done in software firewall ?

ThunderZ
August 24th, 2009, 11:08 AM
{QUOTE-> A good software firewall can do that too..
I still don't see why routers are always considered superior to a software firewall on a PC ?
What is the difference that makes them "better" ? <-QUOTE}


A router is a totally stand-alone unit, OS independent. Therefore it is not exploitable by other methods that may be able to exploit weaknesses within the OS\FW interaction.


{QUOTE-> Is there a technical reason why packet filtering and SPI could not be done in software firewall ? <-QUOTE}

You would need to ask the developers\writers of software firewalls that.

Dregg Heda
August 24th, 2009, 11:14 AM
They are both done in software firewalls too. Comodo firewall and pctools both have SPI. Online Armor has a state table, which is like basic SPI but security wise equivalent to it.

Some forum members have told me a good software firewall with SPI is every bit as good as a properly configured router. Although others have opined that with software firewalls there is always a chance that some service may get screwed up, or something may go wrong, in general the preference is for a NAT router, preferably with a hardware firewall. Although the NAT router without hardware firewall, as a byproduct of what it does, offers equivalent protection to that with a hardware firewall.

EDIT: You might find this link instructive: http://www.wilderssecurity.com/showthread.php?t=246434

Joeythedude
August 24th, 2009, 12:48 PM
That's very interesting.

I had some idea in my head that a hardware firewall had some sort of physical component to it, that allowed it to track traffic better than software.

But it doesn't.

:)

Victek123
August 24th, 2009, 11:13 PM
{QUOTE-> That's very interesting.

I had some idea in my head that a hardware firewall had some sort of physical component to it, that allowed it to track traffic better than software.

But it doesn't.

:) <-QUOTE}
Although a dedicated firewall/router uses software not essentially different from the software firewall you load on your PC, there are a number of advantages such as:
-The filtering done is not using CPU cycles on your PC.
-There is no potential for bad interactions with other programs.
-It's a lot harder to attack the simple OS in a firewall vs. your PC.

A common problem with firewall/routers is people don't secure them. It's important to change the default user name and password for accessing the settings and make sure the "remote management" option is off. It's also necessary to enable wireless encryption or turn off the wireless completely if it's not needed.

A firewall/router is so inexpensive that I think it makes sense to use one for the added security along with a software firewall on the PC.

Seer
August 25th, 2009, 12:11 AM
{QUOTE-> Properly configured, a good router is basically invisible to the outside Net <-QUOTE}
This, actually, is a complete myth, as was previously discussed here on many occasions. You should know better, ThunderZ ;)

{QUOTE-> A hardware firewall in a typical broadband router employs a technique called packet filtering, which examines the header of a packet to determine its source and destination addresses. This information is compared to a set of predefined and/or user-created rules that determine whether the packet is to be forwarded or dropped. A more advanced technique called Stateful Packet Inspection (SPI), looks at additional characteristics such as a packet's actual origin (i.e. did it come from the Internet or from the local network) and whether incoming traffic is a response to existing outgoing connections, like a request for a Web page. <-QUOTE}

This statement here, imo, totally messes up the terminology and thus is very uninformative. Packet filtering does not refer just to header inspection. Filtering of a packet may be done on various levels, be it 1. simple IP/Port check (from packet header info - stateless inspection [most home routers do this]), 2. inspection of TCP flags to determine the state of the packet (again from header info - partial SPI), 3. full inspection of all header parameters (full SPI), and 4. inspection of packet header as well as its payload (commonly referred to as DPI).

These are different levels of inspection and they all are some kind of "packet filtering". There may be many more levels in between these examples, as every vendor will implement filtering differently. So the claim that "packet filtering" refers to IP/Port check only is not correct.

I just found a pic that will illustrate all parameters of a TCP packet, the one in question here, in hope that it will shed some light on what should/could be filtered -

[attached image: diagram of the TCP packet header fields]

Whether a router will provide better filtering than a software firewall or vice-versa is not a generalized question. It would depend on the filtering implemented in both the router and the software firewall in question. Personally, the argument that the main benefit of routers is that they are stand-alone appliances and cannot be "killed" the way software firewalls can, does nothing for me. A firewall's main role is to filter traffic, and first and foremost, it must do this flawlessly, at least down to TCP flags. In other words, I would rather use a packet filter that does a full SPI and can be killed in a blink of an eye, than a falsely advertised SPI with self-protection (example - many popular software firewalls).

{QUOTE-> I often see posts from people saying "I have a router so I'm ok" type of thing.

Why is this ? <-QUOTE}
From the aspect of security, they probably are "OK", as the router drops unsolicited traffic. But from the aspect of proper packet filtering... well, who cares... ::)

Dregg Heda
August 25th, 2009, 12:23 AM
Seer:

What are the advantages to full SPI (including TCP header inspection) over just a state table? You have told me previously that there is no security advantage if malformed packets are not dropped. So where is the advantage then?

Seer
August 25th, 2009, 01:59 AM
{QUOTE-> What are the advantages to full SPI (including TCP header inspection) over just a state table? You have told me previously that there is no security advantage if malformed packets are not dropped. <-QUOTE}
In most cases, packets with malformed headers are benign, and will be dropped by your TCP/IP stack even if the firewall misses them. Their TCP (we are talking "connection oriented" protocols here) flags are incorrectly set, so they don't belong to any of the current connections and will deliver their payload nowhere. However...

{QUOTE-> So where is the advantage then? <-QUOTE}
there are cases where TCP packets with certain flag combinations, when sent in different sequences, can cause various kinds of problems - from merely "unstealthing" you (various types of scanning, null, xmas, fin, syn...) to breaking the connection itself or even bypassing the firewall.

Suppose you have a firewall that passes rst flagged packets regardless of the state of the syn flag. Furthermore, suppose this firewall also passes the syn flag even if the rst flag is set. You can send a packet with the syn and rst flags set, get syn/ack as a reply, and establish a connection with the host behind the firewall.

Take a look at this explanation of the "3-way handshake (http://support.microsoft.com/kb/172983)", a sequence of establishing a TCP connection.
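The following is an added illustration, written for this archive and not code from Seer or anyone else in the thread. It models two of the filtering levels listed in the earlier post (level 1, a stateless IP/port check, and level 2, a state table driven by TCP flags) and runs three constructed packet sequences through both: a normal outbound three-way handshake, a stray inbound ACK that belongs to no connection, and the SYN+RST combination described above. The rule set (only port 80 exposed), the addresses, the port numbers and the `Packet` model are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed packet model for the example (hypothetical; not from the thread).
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}
    inbound: bool           # True = arrives from the Internet side of the filter

def tcp(src, sport, dst, dport, flags, inbound) -> Packet:
    return Packet(src, sport, dst, dport, frozenset(flags), inbound)

# Constructed rule: the only service exposed to the Internet is a web server on port 80.
ALLOWED_INBOUND_PORTS = {80}

def stateless_filter(pkt: Packet) -> str:
    """Level 1: IP/port check from the header only; no flags, no connection state."""
    if not pkt.inbound:
        return "PASS"
    return "PASS" if pkt.dport in ALLOWED_INBOUND_PORTS else "DROP"

class StatefulFilter:
    """Level 2: tracks each TCP connection's state from the flags seen so far (partial SPI)."""

    def __init__(self) -> None:
        # state table keyed by (local_ip, local_port, remote_ip, remote_port)
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    @staticmethod
    def _key(pkt: Packet) -> Tuple[str, int, str, int]:
        if pkt.inbound:
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def filter(self, pkt: Packet) -> str:
        f = pkt.flags
        # SYN combined with RST or FIN is never a valid handshake segment: drop it in
        # every state, so the SYN+RST packet from the post cannot open a table entry.
        if "SYN" in f and (f & {"RST", "FIN"}):
            return "DROP"
        key = self._key(pkt)
        state = self.table.get(key)

        if state is None:
            # Only a bare SYN creates an entry: outbound always, inbound only to an
            # exposed port. Anything else with no entry is unsolicited and dropped.
            if f == {"SYN"} and (not pkt.inbound or pkt.dport in ALLOWED_INBOUND_PORTS):
                self.table[key] = "SYN_RECEIVED" if pkt.inbound else "SYN_SENT"
                return "PASS"
            return "DROP"

        if "RST" in f:                      # abort from either side tears the entry down
            del self.table[key]
            return "PASS"

        if state == "SYN_SENT":             # we sent SYN; expect the peer's SYN/ACK next
            if pkt.inbound and f == {"SYN", "ACK"}:
                self.table[key] = "ESTABLISHED"
                return "PASS"
            return "DROP"

        if state == "SYN_RECEIVED":         # peer sent SYN; our SYN/ACK out, their ACK in
            if not pkt.inbound and f == {"SYN", "ACK"}:
                return "PASS"
            if pkt.inbound and f == {"ACK"}:
                self.table[key] = "ESTABLISHED"
                return "PASS"
            return "DROP"

        if "FIN" in f:                      # ESTABLISHED: data flows; FIN closes the entry
            del self.table[key]
        return "PASS"

def run_scenarios() -> Dict[str, Tuple[List[str], List[str]]]:
    """Runs three constructed traffic samples through both filters.
    Returns {name: (stateless verdicts, stateful verdicts)}."""
    lan, web, remote = "192.168.1.10", "192.168.1.20", "203.0.113.5"   # constructed
    scenarios = {
        # (a) legitimate outbound connection: SYN out, SYN/ACK back, ACK out
        "outbound_handshake": [
            tcp(lan, 51000, remote, 443, {"SYN"}, inbound=False),
            tcp(remote, 443, lan, 51000, {"SYN", "ACK"}, inbound=True),
            tcp(lan, 51000, remote, 443, {"ACK"}, inbound=False),
        ],
        # (b) inbound ACK to the exposed web port that matches no connection
        "unsolicited_ack": [tcp(remote, 40000, web, 80, {"ACK"}, inbound=True)],
        # (c) the SYN+RST combination discussed in the post
        "syn_rst_probe": [tcp(remote, 40001, web, 80, {"SYN", "RST"}, inbound=True)],
    }
    results = {}
    for name, pkts in scenarios.items():
        spi = StatefulFilter()              # fresh state table per scenario
        results[name] = ([stateless_filter(p) for p in pkts], [spi.filter(p) for p in pkts])
    return results

if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenarios().items():
        print(f"{name:20s} stateless={stateless} stateful={stateful}")
```

Two things stand out when it runs. The stateless filter drops the SYN/ACK reply in the outbound handshake, because the reply lands on an ephemeral port that no static rule allows; a real level-1 device has to open those ports wide to keep browsing working, which is exactly why "is this a response to an existing outgoing connection" matters. And the stateless filter passes both the stray ACK and the SYN+RST packet to port 80, since port 80 is allowed and it never looks at flags, while the state table rejects both.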

Joeythedude
August 25th, 2009, 07:41 AM
So where would the XP firewall be in terms of the packet filtering 1..4 ?

ThunderZ
August 25th, 2009, 08:08 AM
{QUOTE-> This, actually is a complete myth, as was previously discussed here on many occasions. You should know better, ThunderZ ;) <-QUOTE}


:-[ An over simplified statement made in a hurry. My bad. :-\

Seer
August 25th, 2009, 03:19 PM
{QUOTE-> So where would the XP firewall be in terms of the packet filtering 1..4 ? <-QUOTE}

XP firewall will check down to at least TCP flags. Here's a thread (http://www.wilderssecurity.com/showthread.php?t=218517) dealing with this topic. XP firewall did very well in filtering Layer 3 & 4 OSI protocols.

{QUOTE-> :-[ An over simplified statement made in a hurry. My bad. :-\ <-QUOTE}

Don't worry, ThunderZ. Take care.

Joeythedude
August 25th, 2009, 09:08 PM
Thanks, that's great.

I read Stem's post before, but apart from him giving it a thumbs up, didn't follow the detail.

Am I the only one who finds firewalls confusing :)
& I'm in IT btw :)

bigc73542
August 28th, 2009, 06:54 PM
Here is a very good hardware firewall that does not rely on firmware and is guaranteed to be unhackable. I have been running one for almost two years and am very satisfied.
http://www.alphashield.com/